How one small American VPN company is trying to stand up for privacy

In recent months, I’ve started to take my own digital security much more seriously. I encrypt my e-mail when possible, I’ve moved away from Gmail, and I’ve become much more vigilant about using a VPN nearly all the time. Just as cryptographers and security researchers are auditing tools like TrueCrypt, I’ve started to kick the tires of the products that I rely upon on a daily basis.

When I lived in Germany between 2010 and 2012, my wife and I paid $40 a year for a commercial VPN so we could continue to watch Hulu. But upon our return stateside, I kept paying for it anyway, for privacy-minded reasons. There are lots of VPNs out there, but the one I use is Private Internet Access (PIA).

Why PIA? No particular reason, really. I don’t remember exactly how I came to choose it, but I remember seeing it in a roundup of VPNs listed on TorrentFreak. I now use PIA nearly every day, almost all the time, and that got me wondering: how does the company respond to real-world legal requests? Has it ever been compelled to hand over user data? Were those users ever notified?

Unfortunately, Private Internet Access’ website doesn’t really make clear who is behind its site. The site’s footer points to London Trust Media, which also provides nothing more than an e-mail address. A little searching led me to find, and then get in touch with, the CEO of London Trust Media, Andrew Lee—one of the firm's two owners.

Lee has a background in the world of Bitcoin (he was one of the original founders of Mt. Gox), but he has had an interest in online privacy for years. PIA has been around since August 2009. Today, it has around 100,000 users. Assuming that each of them is paying $40 per year for service, that works out to about $4 million in annual revenue. (As we’ve reported before, there’s money in privacy!)

“We don’t log, period.”

One of PIA’s biggest selling points (like other VPN providers) is that it does not log anything, and thus has little data to actually hand over to law enforcement.

“We’ve never been asked for keys, nor [have we] handed over user data,” Lee told Ars. “What happens is that if anybody asks us for information, first and foremost, we confirm that they are a legit agency or government body that has any jurisdiction to even attempt to ask for that data. Then we go through and see that that complies with the letter and the spirit of the law. We don’t have any logs whatsoever. We don’t log metadata [or] session data either. We will comply with anything, but we can’t comply because we do not provide any logs. We don’t log, period.”

Of course, one of the biggest problems is that there’s essentially no way for me to verify PIA’s (or anyone else’s) practices. Lots of VPN firms claim not to log, and I’d like to believe them, but there’s really no way for me to know for sure that Lee can’t see that I’m loading Ars about 100 times a day.

Lee also told me that his firm has spoken with the Electronic Frontier Foundation (EFF) and other related groups to try to come up with a third-party audit system that would attempt to alleviate this exact problem. That way, ordinary consumers like me would at least have a little bit more of a reason to trust that no logs are being kept.

“You have to trust the VPN—they have access to your data,” Dan Auerbach of the EFF told Ars. “Even if they’re really good, the government can come in and say we have a warrant... You have to take it on faith that there will be no CALEA-type orders, [where] the government will come in and say you have to come in and do logging. This is the reason that Tor was developed, was that people realized that we want some sort of anonymity service that doesn't require you to trust just one party. That’s the basic problem with VPNs.”

But even Auerbach admitted that he uses VPNs over Tor on a regular basis for this exact reason: while Tor offers robust security protection, it’s difficult to use and significantly slows down one’s Internet connection.

“If there could be some sort of check against governments coming in and being able to do that, like some sort of third-party auditing—that would be great,” he added. “I think it’s a really challenging problem, and we don’t know how to solve it. Suppose the third-party is in the same legal jurisdiction, then it’s easy for a court to say that you two both have to comply with this order, and you can’t tell anyone, so then you’re back in a situation where the third-party auditor didn’t exist.”

More transparency is more better

John Arsenault is the company lawyer for Private Internet Access.

For my more precise legal questions, Lee referred me to his in-house counsel, John Arsenault. The Colorado-based attorney has some experience in the tech world as an intellectual property lawyer who fought against copyright troll Righthaven.

Arsenault joined PIA as the company’s Digital Millennium Copyright Act (DMCA) agent in March 2012 and became a full-time employee as of December 2012.

He told Ars that since his tenure at the company, PIA has received a total of 11 requests for user data, including three requests from outside the United States. Arsenault declined to name the countries involved, but he said that they were “primarily European countries,” and he added that he’s unaware of any legal requests that PIA might have received before 2012.

Read a subpoena: Arsenault provided Ars with a redacted example of one request for data, along with the company's response.

Arsenault has said that the company has never handed over any user data, as it does not log traffic. He said that PIA has never been ordered to log any user data, nor has it received a National Security Letter, nor has it been compelled to hand over SSL keys.

Further, as its IP addresses are shared, hundreds of subscribers are likely to be using one IP address at a time, so it would be impossible to separate out a single user’s behavior.

“The data that was requested is usually items like traffic log and history, user account information—in the case of the [requests] that we’ve had, it’s always related to an IP address,” he said.

Like Lee, Arsenault said that the first consideration is whether the request falls within the company’s jurisdiction, and if it does not, the company rejects it.

So has PIA received any legal request from an American federal authority?

“We are processing a request now, but that’s still yet to be determined because it is a federal question, and we will fight it the best we can in that regard. I can’t tell you what the outcome is going to be. I cannot comment on it at this time. This is the first request that we have received in that regard, yes.”

But he added that PIA would treat this federal request no differently than others it had received in the past.

“We’ve done our legal research and are comfortable with the jurisdiction of the United States for the time being, and others that have been in the news and might be concerned, we disagree with that interpretation [to leave the US], and so I think we’re very comfortable operating in the US given the circumstances,” Arsenault added. “If it came down to it, we do have a contingency plan, were the climate in the US to turn against us and our interests.”

And would PIA be open to starting a transparency report, as many other larger tech companies have done?

“Yes, and that is something we have been exploring since late summer, and we’re moving in that direction—hopefully by the end of the year,” Arsenault said.

Another way to increase consumer confidence would be for PIA and other VPN providers to publish a “warrant canary.”

The idea is that a company could publish a notice saying that a warrant has not been served as of a particular date. Should that notice be taken down, then users are to surmise that it indeed has been served with one. The theory is that while a court can compel someone to not speak (a gag order), it cannot compel someone to lie.

The only problem is, warrant canaries have yet to be fully tested in court.

“It’s something that I believe would be beneficial for building trust with consumers,” Arsenault noted.
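A reader-side check for the dated notice described above, as an added example (not code from PIA or from this article): because the signal is the notice's absence, a missing, undated, stale or rolled-back notice has to be treated as the alarm. The "as of YYYY-MM-DD" wording, the monthly reissue window and all names here are assumptions, and the check covers freshness only, not who published the notice.

```python
"""Warrant canary freshness check (added example; wording and schedule are assumed)."""
import re
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class CanaryState(Enum):
    FRESH = "fresh"      # dated notice present and inside the reissue window
    STALE = "stale"      # notice present but not reissued on schedule
    MISSING = "missing"  # page unreachable, notice removed, or no valid date
    SUSPECT = "suspect"  # dated in the future, or older than one already seen


# Hypothetical notice wording: "... as of 2013-10-01 ..." (ISO date assumed).
AS_OF = re.compile(r"\bas of (\d{4})-(\d{2})-(\d{2})\b", re.IGNORECASE)


def notice_date(page_text: Optional[str]) -> Optional[date]:
    """Return the newest valid 'as of' date found in the page, or None."""
    if not page_text:
        return None
    found = []
    for year, month, day in AS_OF.findall(page_text):
        try:
            found.append(date(int(year), int(month), int(day)))
        except ValueError:  # impossible date such as 2013-02-31
            continue
    return max(found) if found else None


def evaluate(page_text: Optional[str], today: date,
             last_seen: Optional[date] = None,
             reissue_days: int = 31, grace_days: int = 4) -> CanaryState:
    """Classify one fetch of the canary page."""
    as_of = notice_date(page_text)
    if as_of is None:
        return CanaryState.MISSING
    # A notice cannot vouch for the future, and a date that moves backwards
    # means an older copy of the page is being served.
    if as_of > today or (last_seen is not None and as_of < last_seen):
        return CanaryState.SUSPECT
    if today - as_of > timedelta(days=reissue_days + grace_days):
        return CanaryState.STALE
    return CanaryState.FRESH


def monitor(observations: Iterable[Tuple[date, Optional[str]]]) -> List[CanaryState]:
    """Evaluate (fetch_date, page_text) pairs in order, tracking the newest date seen."""
    last_seen: Optional[date] = None
    states = []
    for fetched_on, text in observations:
        state = evaluate(text, fetched_on, last_seen)
        seen = notice_date(text)
        if seen is not None and state is not CanaryState.SUSPECT:
            last_seen = seen if last_seen is None else max(last_seen, seen)
        states.append(state)
    return states


# Constructed sample fetches; None stands for a failed fetch or removed page.
SAMPLE = [
    (date(2013, 10, 5), "No warrants have been served on us as of 2013-10-01."),
    (date(2013, 11, 4), "No warrants have been served on us as of 2013-11-01."),
    (date(2013, 12, 10), "No warrants have been served on us as of 2013-11-01."),
    (date(2013, 12, 12), "No warrants have been served on us as of 2013-10-01."),
    (date(2013, 12, 15), None),
]

if __name__ == "__main__":
    for (fetched_on, _), state in zip(SAMPLE, monitor(SAMPLE)):
        print(fetched_on.isoformat(), state.value)
```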

So, at the end of the day, I'm going to stick with Private Internet Access for now—but as always, caveat emptor.

Promoted Comments

1) If you're the only guy on the server, then even though they don't log, you can still get DMCA notices. Yes, there exists such a thing as a real-time DMCA and if you're the only guy using the server (on my VPN service, it's quite possible as there are tons of servers), well, it's obvious where the traffic comes from. Of course, this only applies to real-time DMCAs - after you log off, there's no record of who to send the DMCA to so it dies right there. So if you're torrenting, you might want to disconnect and reconnect every hour or more, or pick a busier server (if there's two or more people, you can't definitively say who's doing it and are safe).

Just because they don't log, doesn't mean they can't find out who's on the server, and if you're the only one the split second the guys issue a DMCA notice, well..

2) You're still vulnerable to metadata spying - encryption or not. Send an email through and the NSA can still harvest your contact list that way by observing who you send email to and receive it from.

I've used PIA for almost two years. Living in a rural area my ISP speed is fairly slow. I was concerned about the overhead of a VPN and at first it seemed to give my connection speed a hit, but recently I have not noticed this at all. Of course there are a lot of different congestion factors to consider, but at least for now PIA does not seem to be offering any.

I am quite pleased with the service and at just over $3 a month (annual sub), a no brainer.

70 Reader Comments

I use PIA to watch stuff on UK and Canadian TV websites. Plus the encryption keeps Comcast out of my business. I really don't care if the NSA is still able to track me or law enforcement. Not doing anything that would pique their interest anyway.


Well, we know that subpoena request didn't come from Virginia or Massachusetts. It says "people of the state of ____" instead of "the commonwealth of ____."

I've used AirVPN before and it's always worked quite well for me. It's based somewhere in the EU (you pay in Euros but they take paypal), allows for very short term use (you can sign up for as little as three days of service at a time), and is very fast. I didn't notice any appreciable difference in my connection speed when using it.

You actually need these companies to appear in person (or on YouTube) or at the very least post a revised statement on their website every month stating that they have not received any NSA letters, or general warrants to surrender keys etc.

If they stopped posting that information, we would all know that they have received such a demand, but couldn't speak about it.


Thank you for this article! I've been a customer for a few months now. Very easy signup and configuration and when I use the node closest to me, my actual download speed increases (on Comcast). What I really like is the 'separation of concerns' here as I'm on a shared connection. What I do should never impact what others are legitimately or not are doing here. My traffic can be pointed out immediately as I always use the service here (physically).

When I was looking over the list on Torrentfreak, revised and prior version, PIA stood out for not having logs and having been around for a while. Also the blended IP traffic was a huge plus; getting lost in the thundering herd is one of TOR's few remaining virtues, and I had already written it off my list due to the unknown host problem. At least here, I did have some idea of who I was getting service from and, thanks to this timely article (!), an even better idea of who stands behind the service. Assuringly formidable.

Aside: BBC iPlayer. Awesome!

Note: I am not using this service to ensure that my communications are strictly private. I've been operating under the assumption that I am monitored. Seriously, no 'tin-foil' hat. It's just that my clearance is not something revocable; some things I never will be able to talk about and it ain't war-crimes or the like. Just engineering. It's a question of who can monitor, and if they need to work at it a bit, I'll just smile.

You actually need these companies to appear in person (or on YouTube) or at the very least post a revised statement on their website every month stating that they have not received any NSA letters, or general warrants to surrender keys etc.

If they stopped posting that information, we would all know that they have received such a demand, but couldn't speak about it.

Actually, since you have no idea of the trustworthiness of the source (come-on, Google is YouTube, a now known bad actor, literally!) of your assurance. It's just like key-chains when you really examine the issue. So I wish I could give you two and 1/2 points ;-).

Yeah I've been using pia for a couple years too and very happy with ease of use and their privacy policy. And their rates. Good service. Rare these days. And when I'm feeling particularly paranoid, using pia on top of tor really gives one a sense of peace. Not only https'd and bounced thru few servers, also then routed thru tor nodes feels pretty dang anonymous and secure. Unless u do something dumb like hit a honeypot that will serve u malware js that returns your true ip. Not much to do about that. Sigh.

One thing I don't know is if pia utilizes pfs to their servers. Hope so.

I have been using HMA (Hide My Ass) for the last year until I recently ran into connection speed issues. In the last month my internet speeds began to slow to a crawl while they had been very good before. Also certain websites I do my banking with would not accept any connections from the IP addresses that HMA was assigning to me.

I'm using Time Warner Cable in New York City and utilize the 30 Mbps / 5 Mbps connection and it was great until a month or so ago.

Any thoughts on HMA and/or what TWC-NYC might be doing to make my life miserable?

By the way, another tool I've been using is DNSCrypt. Apparently even though you are on a VPN, DNS requests can still be unencrypted so this encrypts DNS traffic between you and OpenDNS (if you're using their DNS hosting).

Legal Loophole for service providers to alert customers to secret government probes?

Service providers are legally compelled to NOT SAY anything when they get the letters.

Service providers are not legally compelled to CONTINUE saying things, at a guess.

So: if the service provider, like a VPN, each day pledges that they have not received any secret legal probes, but then one day fails to say anything, they still have not said anything to disclose the legal action, they have in fact committed absolutely nothing, which I doubt is a crime. And if it is a crime, then I think that would be quite interesting. I guess that a very carefully drafted order could compel them to continue claiming they are free of secret legal obligations, but I also suspect there would be a plenty good chance the secret order wouldn't be that carefully considered, there would be no "thou must continue pledging" clause, and the service provider would be safe to discontinue their pledge of freedom.

"The data that was requested is usually items like traffic log and history, user account information—in the case of the [requests] that we've had, it’s always related to an IP address"

Indeed, as the subpoena's request & response show, law enforcement goes all the way to try to single out a person, attempting to gather every single bit of his/her personal information, in proper(sic) coercive fashion.

Likewise, the VPN's response is, in -Fuck you very much- type font:

"Said IP is shared by many Joe Does at the same time". (So suck a big hard digital cock. Yours truly. Attorney X. Alpha Male Law LLC.) <--That's the [REDACTED] bit

So, how does the all-mighty State go around this apparent dead end? I'm quite sure they don't just say: Oh well, nothing to get here, we better go look somewhere else for a lead..."

More important, have they ever complied in handing over User Account Information? Or were they ever compelled to do so in any way? Without any other limitation, like a particular IP or time-frame.

I mean, if this is the standard response to a standard request, in the case of an ongoing investigation, when the Judge grants permission to investigate a known individual, it would just be a matter of compelling the firm to hand over logs and all the info related to a single customer, assuming of course that the law has previously tied said individual to the VPN in question.

Let's assume for a moment, said person IS in fact a registered customer, and he/she happens to be in that pool of shared connections tied to that magic IP that they already have. What would prevent them (a prosecutor/law enforcement/government) to allege that that's MORE than circumstantial evidence?

Silly me, of course that would never happen, in this day & age, where 99% of Judges and Jury of your peers are tech savvy...

I respectfully urge everyone to comment/criticize/explain what you can, since I lack both the legal and computer science background to reach withstanding conclusions.

Sorry for a long comment, but my main goal is that we must try to give every word and explanation a clear and unique meaning, so all of us can really weigh in all the facts, from all possible angles. (One of the most disgusting aspects of this Tyrant Government is this routine of outright lies, misleads, half-truths, misinterpretations, reinterpretations, deceits, and the like)

So the only (and the best) antidote is to strive for the greatest level of transparency we can.

I think it's naive to assume that a warrant canary is going to solve the problem. First, as noted in the article, it is not tested in court, and a device that is explicitly designed to alert people to NSLs is almost certainly going to be deemed illegal by the same courts that issue the NSLs.

Second, a warrant canary will also be a death sentence to the company, so they might as well follow Lavabit's example. Either that, or setting up shop abroad.

It's disgusting that we have to discuss this in the first place. And most people around me are completely apathetic to this issue and the NSA leaks. Democracy is wasted on these people.

PIA may be a decent tool to circumvent country based content blocking, but if you care about your privacy you are way better off with a VPN provider outside the US. If the NSA or similar agencies ever request to install a little surveillance box in their data center, there is absolutely nothing the PIA guys could do, except for shutting down the whole thing. No company is above the law, no matter how criminal the law is or how pure the intentions of the company's owners are.

I use PIA to watch stuff on UK and Canadian TV websites. Plus the encryption keeps Comcast out of my business. I really don't care if the NSA is still able to track me or law enforcement. Not doing anything that would pique their interest anyway.

Does PIA allow you to stream using BBC iPlayer?

I used PIA to watch the Olympics when it was in the UK. Does this answer the question, 'cause it does use iPlayer.

Then again, the lack of genuine peer-review - and the lack of interest in tech journalists in asking whether "VPN services" deploy competent encryption implementations (or not) - seems to be so well-entrenched at this point as to be taken for granted. How that happened, I can't actually explain... over the years, it's just become the bizarre default option for discussing this "industry."

Even the Snowden slides showing that the NSA is actively decrypting poorly-implemented "VPN service" data realtime doesn't seem to have made a dent.

Perhaps it's just that people paying for these services don't actually expect to be protected? Honestly, I don't know. To me, if I'm paying good money for "encryption" then I at least expect that the company can explain what it's doing, crypto-wise, without sounding like someone reading old versions of wikipedia articles on-the-fly...

I really don't care if the NSA is still able to track me or law enforcement. Not doing anything that would pique their interest anyway.

That. Stop doing that. Because it's exactly what every innocent person will believe right up until the point where an automated analysis system flags them for some bullshit reason, causing law enforcement to judge every action you take as wrongdoing and subsequently charge you with a vague interpretation of an obscure law you didn't even know or weren't allowed to know existed.

I've no reason to doubt these guys' sincerity, but in the current political climate "American company" and "stand up for privacy" sounds about as much of a possibility/likelihood as "Pall Mall Non-Filter thought to improve lung function". Perhaps a more sensible course of action would be to secure VPN access with a firm located in a country without secret courts and secret gag orders. For the time being, that is.


Yup, still don't care. People getting wrongly accused is an unfortunate side effect of a government's inability to ever create a one size fits all solution. People get falsely accused of murder. Should we stop going after people for murder because a small fraction of people are innocent? Oh wait, that only happens to *other* people. Nothing the federal government does, has done, or will do, will ever come without some collateral damage.


Do. Not. Care.

You don't care that a system being *actively* abused by a government project because of 'collateral damage'?

There is a big difference between passively being accused of murder (wrong place/stupid activity around a crime scene etc.) and police tagging a person for a murder they *know* the accused did not commit. One can be demonstrably false and just needs to divert the path the system is currently treading. The second doesn't matter what demonstrably incorrect data is available, you have to have the ability to override the influences of the administrators within the systems.

Stopping a miscarriage of justice can be hard, stopping a miscarriage of justice when being actively pursued is significantly harder.

Legal Loophole for service providers to alert customers to secret government probes?

Service providers are legally compelled to NOT SAY anything when they get the letters.

Service providers are not legally compelled to CONTINUE saying things, at a guess.

So: if the service provider, like a VPN, each day pledges that they have not received any secret legal probes, but then one day fails to say anything, they still have not said anything to disclose the legal action, they have in fact committed absolutely nothing, which I doubt is a crime. And if it is a crime, then I think that would be quite interesting. I guess that a very carefully drafted order could compel them to continue claiming they are free of secret legal obligations, but I also suspect there would be a plenty good chance the secret order wouldn't be that carefully considered, there would be no "thou must continue pledging" clause, and the service provider would be safe to discontinue their pledge of freedom.

"If the flag is up, it means no secret order is in progress" "If the flag is not there, it means there is a secret order in progress that we must comply with, so be aware, your communications could be wiretapped right now"

Sorry but I do not see how that warning system could survive before a court. The argument would be too silly.


It's the same reasoning behind the Automobile Association in the UK having employees who would salute AA members as they were driving if there was no speed trap ahead, but would specifically not salute if there were a speed trap, on the basis that a person could not be prosecuted for failure to salute someone. It worked for over fifty years until they decided to scrap the program of having employees stand near speed traps because it was too expensive to employ that many people. It is ludicrous that VPN providers would have to do this, but the basic theory that a court order can't compel someone to lie is pretty sound. Especially if they chose to sign a sworn affidavit each day/month/etc that they had not received a gag order during that time period. An attempt to require them to continue signing the affidavit would mean compelling someone to commit perjury.


Ok, they are hoping that the law enforcement will force them to lie, so they can make that point, or do nothing.

There is a problem with that approach. The question could be: Is the VPN provider communicating to its users if a secret order has been issued against them? The answer is definitely yes, since they are communicating with tangible signals to their users that a secret order has been issued.

That was my point. Saying something is not the same as communicating something. The VPN provider is just creating a language that everybody can understand with the end of communicating something very specific and tangible.

So, let me just roll my eyes at this approach. It sounds more like a scam than anything else.

In case anyone hasn't seen it, TorrentFreak asked a bunch of VPNs whether they log, respond to legal requests, etc. and posted the 'good' ones: VPN Services That Take Your Anonymity Seriously, 2013 Edition. (Anyone else find it kind of disturbing that PIA thinks the DMCA applies to every country on the planet?)

It is a coded communication, yes. However, the gag order requires only that they not say anything, not that a lack of speech not communicate something. It is quite common in situations involving a gag order of any kind that when questioned on the subject of the gag order a person only say "I am not at liberty to speak on that subject." Doing so does not violate the gag order, as they are neither speaking about the subject nor saying specifically that a gag order is the reason they cannot speak. It nevertheless implies heavily to any reasonably astute listener that a gag order exists. And this is perfectly legal.

You can think it sounds like a scam if you like. It's still legal, and it would be quite hard to craft a law for which there is not a similar loophole. And for as long as these bullshit gag orders are still being used, I hope every company starts using this loophole; it's the only way customers can have any reasonable amount of information about what their government is doing.

I really don't care if the NSA is still able to track me or law enforcement. Not doing anything that would pique their interest anyway.

That. Stop doing that. Because it's exactly what every innocent person will believe right up until the point where an automated analysis system flags them for some bullshit reason, causing law enforcement to judge every action you take as wrongdoing and subsequently charge you with a vague interpretation of an obscure law you didn't even know or weren't allowed to know existed.

But, hey, that stuff only happens to *other* people, right?

Actually, they already know me. Well. Very well. One signature, Pres. or Sec. Def., and 'I'm Back In The Uniform Now' facing a Court Martial. For whatever charges they might feel appropriate. So, if they reeeeaaly want an example. Seize yon machines and you'll figure out something or the other to charge me with. Potentially a lot and no, not piracy, nor porn. My interests don't go that way. I think dark thoughts about what (deservedly?) we have brought to our shores by our activities to date on the 'net, let alone the planet.

At least I'll be pretty much an automatic member of the largest gang in any prison in the U.S.: Veterans. Hmm... any federal prisons needing talented IT support? Will work for reading material!